Interview: Cesare Garlati, Chief Security Strategist, Prpl Foundation

In 2016, the danger posed by the Internet of Things (IoT) became a reality. Add in factors such as the Mirai botnet and industrial control systems, and the problem becomes more than just Fitbits being connected to the network.

The problem was first addressed with industry guidance in November 2016, when both the Department of Homeland Security and NIST issued documents on IoT: the DHS advised manufacturers, service providers, developers and business-level consumers, while NIST went into more detail for manufacturers and developers with guidance on how to engineer safer products.

DHS Secretary Jeh Johnson said that the “growing dependency on network-connected technologies is outpacing the means to secure them,” so securing IoT became a matter of homeland security.

One initiative aiming to make a difference to the issue of IoT is the Prpl Foundation, an open-source, community-driven, collaborative, non-profit foundation. Its chief security strategist, Cesare Garlati, was one of the many willing to make predictions for 2017 in this sector.

He said that attackers will continue to exploit the “always on” capabilities of smart devices, and the first line of defense for those devices: the home gateway. His second prediction had much more devastating consequences, as Garlati said that, either through direct tampering or remote takeover of critical devices, he feared there will be loss of human life resulting from cases of hijacked IoT devices.

So what was the IoT in his view? He defined it as “embedded connected devices”, including connected cars, since a car is embedded connected electronics within a rich connected system.

He said: “If you add rich embedded functionality and a rich operating system and if you have an application with building blocks, once together online they can be used for attack. This is different from a traditional computing device; you have something traditional there and a user and manned device, these [IoT] are unmanned and no one knows where they are, and there are literally millions.”

Garlati added that traditional computing is connected and embedded and features the capability to offer encryption, while with an IoT device you buy it and switch it on, and it becomes an “ideal target in terms of attack”.

In its first Global Smart Home Security Report, Prpl Foundation found that adoption of smart devices per household was strongest in the continental European nations of France (5.8 devices), Italy (5) and Germany (4.5), with the UK (2.6) and US (2.4) at around the same level as each other. The figures work out to an average of 3.4 devices per home, but Garlati said that it doesn’t matter what or how many devices you have; you can have 25 devices or one, the problem is the “damage you can do with it”.

He said: “It is bad and I’ve been preaching for 18 months, but it would be nice for it to be more open and everyone needs to know that these toys can create serious problems.”

Ahead of the announcement of the NIST and DHS guidance, Garlati described the IoT sector as a “Wild West”, particularly when it comes to fixing the issues. Asked how it can be mended, he said that this needs to begin with end-users being aware of the dangers, but that the industry must also understand the moral security of “millions of these things misbehaving”.

He made the point that devices come with hard-coded passwords which cannot be changed, so unless the user patches the system, it does not get updated. “We asked people ‘when was the last time you updated your router?’ and 40% said they have never done so,” he explained.

“If the airbag is faulty, there is an entity which says that this is a danger for people as if the car doesn’t work it is not just you, but the damage you can do, so it is illegal to drive and sell the car and the vendor would be forced to fix the problem. Have you seen a recall of a router?”

He pointed to an issue where the FTC settled with ASUS about critical security flaws in its routers which put the home networks of hundreds of thousands of consumers at risk, so a proposed consent order required ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

Garlati concluded by arguing that you can stop a car on a highway when its lights are not working, but you cannot stop IoT when there is no legal framework. This led to his prediction that we will see human fatalities which have not happened yet, but will happen as devices are connected with physical objects – energy, power, cars. “How do you force 100,000s of people to update their camera? There is no legal framework for doing that,” he said.

Obviously this is an outcome that we as an industry want to avoid, but as the IoT spirals on with a focus on usability over security, this could be the worst-case scenario.